Steering Committee

It is imperative for the governance of the BC programme that a Business Continuity Steering Committee (BCSC) is appointed. Because Business Continuity Management is concerned with infrequent but potentially catastrophic events, it can be overlooked as individuals within the organisation are pressed by their day-to-day responsibilities. When this occurs the Business Continuity Plan can decay and become increasingly irrelevant to the organisation. The implementation of a Business Continuity Steering Committee ensures that the organisation’s Business Continuity Plans are regularly considered, reviewed, tested and updated when organisational change occurs.

This group comprises the most senior managers from the organisation and each key department must be represented. The BCSC should be led by the senior manager with responsibility for BCM. NIST 800-34 suggests that this might be the Chief Information Officer. BS 25999-1 states that the responsibility for BCM should be assigned to the owner, a board director or elected representative. The profile of a typical BCSC is shown below. Each box represents a role rather than a management position; therefore more than one role may be held by the same person.

The Business Continuity Steering Committee is tasked with making strategic recovery and continuity planning decisions for the organisation and will sign off on each stage of the programme. Unlike the usual project management steering committee, which is disbanded on completion of the project, this committee is permanent [TR 19:2005].

The BCSC should meet regularly at suitable intervals during and after the implementation programme. It is likely that the meeting interval would lengthen once the BC programme has been completed. Suggested meeting frequencies are monthly during the implementation phase of the programme and quarterly once the BCP has been delivered and BCM is part of everyday organisational management.

Most experienced Business Continuity Managers would state that implementation of successful BCM is dependent upon having senior management “buying in” from the very start of the programme.

Strategic management of an incident is carried out by the Senior Management Team (strategic/gold level incident team – see Section Senior management team). It is very likely that some or all of the members of the BCSC or their deputies would become members of the Senior Management Team during an incident. Given the seniority of the members of the BCSC, it is unlikely that they would become members of the Incident Management Team (tactical/silver level incident team – see Section Incident management team).

The European Union Agency for Network and Information Security (ENISA) is a centre of expertise for cyber security in Europe.

ENISA is contributing to a high level of network and information security (NIS) within the European Union, by developing and promoting a culture of NIS in society to assist in the proper functioning of the internal market.